Amendments to the Claims: 



The listing of claims will replace all prior versions, and listings, of claims in the 
application. 

Listing of Claims 

1. (Currently Amended) A system for maintaining security in a distributed 
computing environment, comprising: 

(1) a policy manager, coupled to a network, including a database for storing a 
security policy including a plurality of rules that control user access to applications; and 
a policy distributor, coupled to the database, for distributing the plurality of rules through 
the network; 

(2) a security engine located on a client coupled to the network and stored on a 
computer readable storage medium, said security engine storing a set of the plurality of 
rules constituting a local customized security policy received through the network from 
the policy distributor, and enforcing the local customized security policy with respect to 
an application at the client wherein enforcing the local customized security policy 
includes evaluating an access request by matching it to one or more of the plurality of 
rules of the local customized security policy and granting or denying access to the 
application based on the evaluation; and 

(3) the application, coupled to the security engine, wherein the security engine 
guards access to the particular application to which said security engine is coupled, 
each separate application in the system being guarded by a different access 
authorization service such that separate applications do not share authorization 
services; and wherein the security policy is updated by recording a series of incremental 
changes to the security policy, determining which of said incremental changes are 
applicable to said security engine, computing an accumulated delta that reflects the 
series of incremental changes applicable to said security engine and sending the 
accumulated delta to the security engine from the policy manager such that the security 
engine uses the accumulated delta to update the local customized security policy, 
wherein each incremental change to a security policy includes one or more rule 
changes in a security policy, and wherein the accumulated delta is distributed with a 
version of the security policy to reconstruct a previously distributed local customized 
security policy in one step, wherein the accumulated delta represents combined effect 
of the series of incremental changes to the security policy 

wherein a previously enforced version of the local customized security policy is 
reconstructed by generating an accumulated reversing delta at the policy manager and 
sending the accumulated reversing delta to the security engine, wherein the 
accumulated reversing delta comprises a sequence of incremental changes in a reverse 
order. 

2. (Previously presented) The system of claim 1, wherein the rules are stored 
separate from the application rather than being embedded in the application. 

3. (Previously presented) The system of claim 1, wherein the security engine 
further comprises: 

an engine for evaluating a request to access the application based on the set of 
the plurality of rules; and 

an application programming interface (API) for enabling the application and the 
engine to communicate. 

4. (Original) The system of claim 3, wherein the security engine further 
comprises: a plug-in application programming interface (API) for extending capabilities 
of the security engine. 

5. (Original) The system of claim 1, further comprising location means for 
enabling components in the system to locate each other through the network. 

6. (Original) The system of claim 1, wherein the policy manager and the policy 
distributor are hosted on a first server, the security engine and the application are 
hosted on a second server, and the first and second servers are communicatively 
coupled to each other through the network. 

7. (Currently Amended) A system for maintaining security for an application in a 
distributed computing environment, comprising: 

an engine located at a client coupled to a network and stored on a computer 
readable storage medium, the engine storing a set of rules constituting a local 
customized policy received through the network from a centralized location, and 
enforcing the local customized policy at an application level of the client; 

an interface coupled to the engine for evaluating the local customized policy in 
order to control access to an application at the client wherein evaluating the local 
customized policy includes matching an access request to one or more of the plurality of 
rules of the local customized policy and granting or denying access to the application 
based on the evaluation; and 

the application, coupled to the interface so as to communicate with the engine, 
wherein the engine guards access to the application that is coupled to said interface 
each separate application in the system being guarded by a different access 
authorization service such that separate applications do not share authorization 
services; 

wherein the local customized policy is updated by keeping track of incremental 
changes to the policy, determining which of said incremental changes are applicable to 
said engine, computing an accumulated delta that reflects all the incremental changes 
applicable to said engine and sending the accumulated delta to the engine from the 
centralized location such that the engine uses the delta to update the local customized 
policy, wherein each incremental change to a policy includes one or more rule changes 
in a policy, and wherein the accumulated delta is distributed with a version of the 
security policy to reconstruct a previously distributed local customized security policy in 
one step, wherein the accumulated delta represents combined effect of the series of 
incremental changes to the security policy 

wherein a previously enforced version of the local customized security policy is 
reconstructed by generating an accumulated reversing delta at the centralized location 
and sending the accumulated reversing delta to the engine, wherein the accumulated 
reversing delta comprises a sequence of incremental changes in a reverse order. 

8. (Previously presented) The system of claim 7, wherein the engine stores the 
rules separate from the application rather than being embedded in the application. 

9. (Original) The system of claim 7, further comprising: a plug-in application 
programming interface (plug-in API) for extending capabilities of the security engine. 

10-20. (Canceled) 

21. (Currently Amended) A method for maintaining security in a distributed 
computing environment, comprising: 

maintaining a policy manager coupled to a network, including a database for 
storing a security policy and a policy distributor, coupled to the database, for distributing 
a portion of the security policy through the network; 

maintaining a security engine located on a client coupled to the network, storing 
a local customized security policy received through the network from the policy 
distributor, and enforcing the local customized security policy with respect to an 
application at the client wherein enforcing the local customized security policy includes 
evaluating an access request by matching it to one or more of the plurality of rules of 
the local customized security policy and granting or denying access to the application 
based on the evaluation; and maintaining the application, coupled to the security 
engine, wherein the security engine guards access to the particular application to which 
said security engine is coupled, each separate application in the system being guarded 
by a different access authorization service such that separate applications do not share 
authorization services; and 

receiving a series of incremental changes to the security policy at the policy 
manager; 

determining which of said series of incremental changes are applicable to said 
security engine; 

computing an accumulated delta that reflects the series of incremental changes 
that are applicable to said security engine; and 

distributing the accumulated delta to the security engine on the client wherein the 
security engine uses the delta to update the local customized security policy, wherein 
each incremental changes to a security policy includes one or more rule changes in a 
security policy, and wherein the accumulated delta is distributed with a version of the 
security policy to reconstruct a previously distributed local customized security policy in 
one step, wherein the accumulated delta represents combined effect of the series of 
incremental changes to the security policy a previously enforced version of the local 
customized security policy is reconstructed by generating an accumulated reversing 
delta at the policy manager and sending the accumulated reversing delta to the security 
engine, wherein the accumulated reversing delta comprises a sequence of incremental 
changes in a reverse order. 

22. (Previously presented) The method of claim 21, further comprising: 

storing the accumulated delta in a policy change tracking table before distributing 
it to the security engine. 

23. (Previously presented) The method of claim 22, further comprising: 
reconstructing an updated local customized security policy back to a previously 
distributed version by using the accumulated delta stored in the policy change tracking 
table. 

24. (Previously presented) The method of claim 21 wherein the security policy 
includes a plurality of rules for controlling access to securable objects. 

25. (Previously presented) The method of claim 24 wherein the series of 
incremental changes include at least one or more of adding a rule, deleting a rule and 
amending a rule. 

26. (Currently Amended) A method for maintaining security in a distributed 
computing environment, comprising: 

maintaining an engine at a client coupled to a network, the engine to store a set 
of rules constituting a local customized policy received through the network from a 
centralized location, and enforce the local customized policy at an application level of 
the client; 

maintaining an interface coupled to the engine for evaluating the local 
customized policy in order to control access to securable components wherein 
evaluating the local customized policy includes matching an access request to one or 
more of the set of rules of the local customized security policy and granting or denying 
access to the application based on the evaluation; and 

maintaining the application, coupled to the interface so as to communicate with 
the engine, wherein the engine guards access to the application that is coupled to said 
interface each separate application being guarded by a different access authorization 
service such that separate applications do not share authorization services; 

receiving a series of incremental changes to the set of rules at the centralized 
location; 

determining which of said incremental changes are applicable to said engine; 

computing an accumulated delta to reflect the series of incremental changes that 
are applicable to said engine; and 

communicating the accumulated delta to the engine at the client such that the 
engine employs the accumulated delta to update the local customized policy, 

wherein each incremental change to a policy includes one or more rule changes 
in a policy, and wherein a previously enforced version of the local customized security 
policy is reconstructed by generating an accumulated reversing delta and sending the 
accumulated reversing delta to the engine, wherein the accumulated reversing delta 
comprises a sequence of incremental changes in a reverse order the accumulated delta 
is distributed with a version of the security policy to reconstruct a previously distributed 
local customized security policy in one step, wherein the accumulated delta represents 
combined effect of the series of incremental changes to the security policy. 

27. (Previously presented) The method of claim 26, further comprising: 

storing the accumulated delta in a policy change tracking table before distributing 
it to the engine. 

28. (Previously presented) The method of claim 27, further comprising: 
reconstructing an updated local customized policy back to a previously 
distributed version by employing the accumulated delta stored in the policy change 
tracking table. 

29. (Previously presented) The method of claim 26 wherein the series of 
incremental changes include at least one or more of adding a rule, deleting a rule and 
amending a rule. 

30. (Currently Amended) A computer readable medium having instructions stored 
thereon which when executed by one or more processors cause a system to: 

maintain a policy manager coupled to a network, including a database storing a 
security policy and a policy distributor, coupled to the database, for distributing a portion 
of the security policy through the network; 

maintain a security engine located on a client coupled to the network, for storing 
a local customized security policy received through the network from the policy 
distributor, and enforcing the local customized security policy with respect to an 
application at the client wherein enforcing the local customized security policy includes 
evaluating an access request by matching it to one or more of the plurality of rules of 
the local customized security policy and granting or denying access to the application 
based on the evaluation; and 

maintain the application, coupled to the security engine, wherein the security 
engine guards access to the particular application to which said security engine is 
coupled, each separate application being guarded by a different access authorization 
service such that separate applications do not share authorization services; and receive 
a series of incremental changes to the security policy at the policy manager; 

determine which of said series of incremental changes are applicable to said 
security engine; 

compute an accumulated delta that reflects the series of incremental changes 
applicable to said security engine; and 

distribute the accumulated delta to the security engine on the client wherein the 
security engine uses the delta to update the local customized security policy, 

wherein each incremental changes to a security policy includes one or more rule 
changes in a security policy, and wherein a previously enforced version of the local 
customized security policy is reconstructed by generating an accumulated reversing 
delta at the policy manager and sending the accumulated reversing delta to the security 
engine, wherein the accumulated reversing delta comprises a sequence of incremental 
changes in a reverse order the accumulated delta is distributed with a version of the 
security policy to reconstruct a previously distributed local customized security policy in 
one step, wherein the accumulated delta represents combined effect of the series of 
incremental changes to the security policy. 

31. (Currently Amended) A computer readable medium having instructions stored 
thereon which when executed by one or more processors cause a system to: 

maintain an engine at a client coupled to a network, the engine to store a set of 
rules constituting a local customized policy received through the network from a 
centralized location, and enforce the local customized policy at an application level of 
the client; 

maintain an interface coupled to the engine evaluating the local customized 
policy in order to control access to securable components wherein evaluating the local 
customized policy includes matching an access request to one or more of the set of 
rules of the local customized security policy and granting or denying access to the 
application based on the evaluation; and 

maintain the application, coupled to the interface so as to communicate with the 
engine, 

wherein the engine guards access to the application that is coupled to said 
interface each separate application being guarded by a different access authorization 
service such that separate applications do not share authorization services; 

receive a series of incremental changes to the set of rules at the centralized 
location; 

determine which of said series of incremental changes are applicable to said 
engine; 

compute an accumulated delta to reflect the series of incremental changes 
applicable to said engine; and 

communicate the accumulated delta to the engine at the client such that the 
engine employs the accumulated delta to update the local customized policy, 

wherein each incremental changes to a policy includes one or more rule changes 
in a policy, and wherein a previously enforced version of the local customized security 
policy is reconstructed by generating an accumulated reversing delta and sending the 
accumulated reversing delta to the engine, wherein the accumulated reversing delta 
comprises a sequence of incremental changes in a reverse order the accumulated delta 
is distributed with a version of the security policy to reconstruct a previously distributed 
local customized security policy in one step, wherein the accumulated delta represents 
combined effect of the series of incremental changes to the security policy. 
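
The update and rollback steps recited in claims 21 to 25 (record incremental rule changes, select those applicable to one engine, compute an accumulated delta, generate a reversing delta in reverse order), as an added Python illustration that is not part of the claim listing or the application. The `Change` record, the function names, the sample log and the engine-side check that a delta matches the current local policy are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Change:                      # hypothetical record of one rule change
    app: str                       # application whose engine the rule targets
    rule_id: str
    old: Optional[str]             # rule text before (None: rule did not exist)
    new: Optional[str]             # rule text after (None: rule deleted)

def accumulate(log, app):
    """Policy manager: net effect of the logged changes applicable to one engine."""
    first_old, last_new = {}, {}
    for c in log:
        if c.app != app:           # change is not applicable to this engine
            continue
        first_old.setdefault(c.rule_id, c.old)
        last_new[c.rule_id] = c.new
    # Rules whose changes cancel out (added, then deleted) are left out.
    return [Change(app, r, first_old[r], last_new[r])
            for r in last_new if first_old[r] != last_new[r]]

def reverse_delta(log, app):
    """Policy manager: inverse of each applicable change, newest first."""
    return [Change(c.app, c.rule_id, c.new, c.old)
            for c in reversed(log) if c.app == app]

def apply(policy, delta):
    """Engine: apply a delta, rejecting one that does not match local state."""
    result = dict(policy)
    for c in delta:
        if result.get(c.rule_id) != c.old:
            raise ValueError(f"delta does not match local policy at {c.rule_id}")
        if c.new is None:
            result.pop(c.rule_id, None)
        else:
            result[c.rule_id] = c.new
    return result

LOG = [  # constructed sample change log held by the policy manager
    Change("payroll", "r1", None, "grant read to hr"),
    Change("crm", "r9", None, "grant read to sales"),
    Change("payroll", "r1", "grant read to hr", "grant read,write to hr"),
    Change("payroll", "r2", None, "deny all to contractors"),
    Change("payroll", "r2", "deny all to contractors", None),
]

def demo():
    v0 = {}                                    # policy the engine enforced before
    delta = accumulate(LOG, "payroll")         # four applicable changes, one net change
    v1 = apply(v0, delta)                      # updated local customized policy
    back = apply(v1, reverse_delta(LOG, "payroll"))  # rollback to previous version
    return delta, v1, back

if __name__ == "__main__":
    print(demo())
```
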